1. A method of integrating a device into a secure
network, comprising:

establishing a tunnel between an authenticator and a 
device, the tunnel using a tunnel protocol, the authenticator 
having a first public key, the device having a second secret 
and a second public key; 

hashing a first secret using the first public key, the 
second public key and a random number generated from the 
tunnel protocol to produce a hash of the first secret; and 

establishing an authenticated session between the device 
and the authenticator when the hash of the first secret 
matches a hash of the second secret. 

2. The method of claim 1, further comprising:

hashing the second secret at the device to produce the
hash of the second secret using the first public key, the
second public key and a second random number generated from
the tunnel protocol.
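
The check described in claims 1 and 2, as an added example that is not part of the patent text: each side hashes its copy of the secret together with both public keys and a random number from the tunnel, and the session is accepted only when the two hashes match. SHA-256, the length-prefixed field encoding, the placeholder key bytes and the use of one shared tunnel value by both sides are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

def _field(b: bytes) -> bytes:
    # Assumption: 4-byte length prefix so adjacent fields cannot be re-split.
    return len(b).to_bytes(4, "big") + b

def secret_hash(secret, auth_pub, dev_pub, tunnel_random):
    """Hash a secret bound to both public keys and the tunnel's random number."""
    h = hashlib.sha256()  # assumption: the claims do not name a hash function
    for part in (secret, auth_pub, dev_pub, tunnel_random):
        h.update(_field(part))
    return h.digest()

def hashes_match(auth_view, dev_view):
    """Each view is (secret, auth_pub, dev_pub, tunnel_random) as that side sees it."""
    # Constant-time comparison, so timing does not leak how many bytes matched.
    return hmac.compare_digest(secret_hash(*auth_view), secret_hash(*dev_view))

def demo():
    # Constructed sample values; real inputs would be encoded public keys.
    auth_pub = b"constructed-authenticator-pubkey"
    dev_pub = b"constructed-device-pubkey"
    other_pub = b"constructed-interposed-pubkey"
    secret = b"4821-7730"  # constructed secret, as shown on the device
    rnd, old_rnd = secrets.token_bytes(32), secrets.token_bytes(32)
    device = (secret, auth_pub, dev_pub, rnd)
    return {
        # The displayed secret was entered correctly at the console.
        "honest": hashes_match((secret, auth_pub, dev_pub, rnd), device),
        # A mistyped or guessed secret was entered at the console.
        "wrong_secret": hashes_match((b"0000-0000", auth_pub, dev_pub, rnd), device),
        # The authenticator's tunnel ended at a different key than the device's.
        "key_substituted": hashes_match((secret, auth_pub, other_pub, rnd), device),
        # A hash computed for an earlier tunnel is presented again.
        "stale_random": hashes_match((secret, auth_pub, dev_pub, old_rnd), device),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} session {'established' if ok else 'refused'}")
```

Only the first case establishes a session; binding the hash to both public keys and the tunnel's random number is what makes the other three fail even when the secret itself is correct.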

3. The method of claim 1, wherein the authenticator has 
a first private key, the method further comprising: 

encrypting the hash of the first secret using the second 
public key; and

placing the encrypted hash into a message.

4. The method of claim 3, further comprising signing the 
message with the first private key with a digital signature. 

5. The method of claim 3, wherein the device comprises a 
second private key; and further comprising: 

checking the digital signature using a first public key; and

decrypting the message using the second private key.

6. The method of claim 1, further comprising:

determining if a hash value of the second public key
matches a displayed hash value observed at the device; and

determining if the first secret matches a displayed
secret observed at the device;

wherein the second secret is the displayed secret after
entry into a network console connected to the authenticator.

7. The method of claim 6, wherein the device includes a
label having the displayed hash value and the displayed
secret.

8. The method of claim 5, wherein determining if the
hash value of the second public key matches comprises:

reading the displayed hash value; and

verifying the displayed hash value at a network console.

9. The method of claim 5, wherein determining if secret
matches comprises:

reading the displayed secret; and 

entering the displayed secret at a network console. 

10. The method of claim 5, wherein the device comprises 
a display and an application, the application rendering the 
displayed hash value and the displayed secret on the display. 

11. The method of claim 1, wherein the authenticator 
comprises a first credential list and the device comprises a 
second credential list, the method further comprising: 

determining if the public key from the device is on the 
first credential list; and 

determining if a public key from the device is in the 
second credential list.

12. The method of claim 1, wherein the authenticator
comprises a first credential list and the device comprises a 
second credential list, the method further comprising: 

placing the first public key in the second credential
list; and

placing the second public key in the first credential
list.

13. An apparatus comprising:

circuitry, for integrating a device into a secure
network, to:

establish a tunnel between an authenticator and the 
device, the tunnel using a tunnel protocol, the 
authenticator having a first public key, the device 
having a second secret and a second public key;

hash a first secret using the first public key, the 
second public key and a random number generated from the 
tunnel protocol to produce a hash of the first secret; 
and 

establish an authenticated session between the
device and the authenticator when the hash of the first
secret matches a hash of the second secret.

14. The apparatus of claim 13, further comprising
circuitry to:

hashing the second secret at the device to produce the 
hash of the second secret using the first public key, the 
second public key and a second random number generated from 
the tunnel protocol. 

15. The apparatus of claim 13, wherein the authenticator 
has a first private key, further comprising circuitry to: 

encrypt the hash of the first secret using the second 
public key; and 

place the encrypted hash into a message. 

16. The apparatus of claim 15, further comprising 
circuitry to sign the message with the first private key with 
a digital signature. 

17. The apparatus of claim 15, wherein the device 
comprises a second private key; and further comprising 
circuitry to: 

check the digital signature using a first public key; and 
decrypt the message using the second private key.

18. The apparatus of claim 13, further comprising
circuitry to: 

determine if a hash value of the second public key
matches a displayed hash value observed at the device; and

determine if the first secret matches a displayed secret
observed at the device;

wherein the second secret is the displayed secret after
entry into a network console connected to the authenticator.

19. The apparatus of claim 18, wherein the device
includes a label having the displayed hash value and the
displayed secret.

20. The apparatus of claim 17, wherein to determine if
the hash value of the second public key matches comprises:

reading the displayed hash value; and 

verifying the displayed hash value at a network console. 

21. The apparatus of claim 17, wherein to determine if
secret matches comprises:

reading the displayed secret; and 

entering the displayed secret at a network console.

22. The apparatus of claim 17, wherein the device
comprises a display and an application, the application 
rendering the displayed hash value and the displayed secret on 
the display. 

23. The apparatus of claim 13, wherein the authenticator 
comprises a first credential list and the device comprises a 
second credential list, further comprising circuitry to: 

determine if the public key from the device is on the 
first credential list; and 

determine if a public key from the device is in the 
second credential list. 

24. The apparatus of claim 13, wherein the authenticator 
comprises a first credential list and the device comprises a 
second credential list, further comprising circuitry to: 

place the first public key in the second credential list; and

place the second public key in the first credential list.

25. An article comprising a machine-readable medium that 
stores executable instructions for integrating a device into a 
secure network, the instructions causing a machine to:

establish a tunnel between an authenticator and the
device, the tunnel using a tunnel protocol, the authenticator 
having a first public key, the device having a second secret 
and a second public key; 

hash a first secret using the first public key, the 
second public key and a random number generated from the 
tunnel protocol to produce a hash of the first secret; and 

establish an authenticated session between the device and 
the authenticator when the hash of the first secret matches a 
hash of the second secret. 

26. The article of claim 25, instructions causing a 
machine to hash the second secret at the device to produce the 
hash of the second secret using the first public key, the 
second public key and a second random number generated from 
the tunnel protocol. 

27. The article of claim 25, wherein the authenticator 
has a first private key, further comprising instructions 
causing a machine to: 

encrypt the hash of the first secret using the second 
public key; and 

place the encrypted hash into a message.

28. The method of claim 27, further comprising
instructions causing a machine to sign the message with the 
first private key with a digital signature. 

29. The article of claim 27, wherein the device
comprises a second private key; and further comprising 
instructions causing a machine to: 

check the digital signature using a first public key; and 

decrypt the message using the second private key.

30. The article of claim 25, further comprising 
instructions causing a machine to: 

determine if a hash value of the second public key 
matches a displayed hash value observed at the device; and

determine if the first secret matches a displayed secret 
observed at the device; 

wherein the second secret is the displayed secret after 
entry into a network console connected to the authenticator.

31. The article of claim 30, wherein the device includes 
a label having the displayed hash value and the displayed 
secret.

32. The article of claim 29, wherein instructions
causing a machine to determine if the hash value of the second 
public key matches comprises: 

reading the displayed hash value; and

verifying the displayed hash value at a network console. 

33. The article of claim 29, wherein instructions 
causing a machine to determine if secret matches comprises: 

reading the displayed secret; and

entering the displayed secret at a network console. 

34. The article of claim 29, wherein the device
comprises a display and an application, the application
rendering the displayed hash value and the displayed secret on
the display.

35. The article of claim 25, wherein the authenticator
comprises a first credential list and the device comprises a
second credential list, further comprising instructions
causing a machine to:

determine if the public key from the device is on the 
first credential list; and 



Attorney Docket No.: 10559/851001 
Intel Docket No.:Pl6877 

determine if a public key from the device is in the 
second credential list. 

36. The article of claim 25, wherein the authenticator
comprises a first credential list and the device comprises a
second credential list, further comprising instructions
causing a machine to:

place the first public key in the second credential list; and

place the second public key in the first credential list.

37. An electronic apparatus comprising:
an authenticator comprising:

circuitry, for integrating a device into a secure
network, to:

establish a tunnel between the authenticator
and the device, the tunnel using a tunnel protocol,
the authenticator having a first public key, the
device having a second secret and a second public
key;

hash a first secret using the first public key,
a second public key and a random number generated
from the tunnel protocol to produce a hash of the
first secret;

send a hash of the second secret to the device 
for verification against a hash of the second 
secret; and

establish an authenticated session between the 
device and the authenticator when the hash of the 
first secret matches the hash of the second secret. 

38. The apparatus of claim 37, wherein the authenticator
has a first private key, the authenticator further comprising
circuitry to:

encrypt the hash of the first secret using the second
public key; and

place the encrypted hash into a message.

39. The apparatus of claim 38, the authenticator further 
comprising circuitry to sign the message with the first 
private key with a digital signature. 

40. A consumer electronic product, comprising
a display;

memory;

a processor; and

circuitry to connect to a secure network, the circuitry 
comprising circuitry to: 

establish a tunnel between an authenticator and the 
product, the tunnel using a tunnel protocol, the 
authenticator having a first public key, the product 
having a second secret and a second public key; 

hash the second secret to produce the hash of the 
second secret using the first public key, the second 
public key and a random number generated from the tunnel 
protocol; and 

establish an authenticated session between the 
device and the authenticator when a hash of the first 
secret matches the hash of the second secret. 

41. The product of claim 40, wherein the product is a 
cellular phone. 

42. The product of claim 40, wherein the product is a 
personal digital assistant. 

43. The product of claim 40, wherein the product is a 
computer system.

44. The product of claim 40, wherein the product is
wireless camera. 



